[IP] Tech Review article about hashing passwords

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Tech Review article about hashing passwords
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 4 Aug 2004 14:52:49 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: "Bosley, John - BLS" <Bosley.John@xxxxxxx>
Date: August 4, 2004 1:26:40 PM EDT
To: "'Dave Farber (farber@xxxxxxxxxxxxx)'" <farber@xxxxxxxxxxxxx>
Subject: Tech Review article about hashing passwords

For IP if deemed worthy

http://www.technologyreview.com/articles/04/08/wo_garfinkel080404.asp
<http://www.technologyreview.com/articles/04/08/wo_garfinkel080404.asp>



John Bosley
Office of Survey Methods Research
Room 1950, Bureau of Labor Statistics
202-691-7514
fax 202-691-7426

Fingerprinting Your Files

"Hash" functions identify digital content with mathematicalcertainty—but is that enough to foil the hackers?




By Simson Garfinkel
 The Net Effect
8/04/2004


SUMMARY PRODUCED BY OS X

Wily hackers in Russia, China, and other countries send out piles ofe-mail messages looking like they came from some financial institutionsuch as Citibank or Paypal.... You're prompted to enter a username andpassword and then—wham—the hacker has the keys to your bank account.

...This makes memorization easier, but it means that an unscrupulouswebsite operator can take a list of usernames and passwords from, say,an Internet sweepstakes site and use it to try to break into onlinebank accounts.

So Stanford cryptographers Blake Ross, Dan Boneh, and John Mitchellhave designed a clever plug-in for Internet Explorer that solves thisproblem by scrambling what you type into the password field so everywebsite sees a different password—a password that’s based both on whatyou type and on the domain of the website itself.

...The password scrambling method that the Stanford trio has devised isbased on a mathematical function called a cryptographic hash—a kind ofone-way function that transforms what the user types into a jumble ofnumbers and letters in a way that cannot be reversed. Because theStanford system calculates the cryptographic hash of both the website’sdomain and the user’s password, the hacker gets different passwordsthan the legitimate ones.

...When you type your password into the login screen, your browsertakes your password, appends these characters provided by Yahoo!, andcalculates the cryptographic hash of the resulting string.... Even ifyou are at a cybercafe having your Web traffic sniffed by Belgiumhackers, there’s no way for the bad guys to take the resulting hashvalue and derive your original password.

...So that you can get an idea of how these fingerprinting functionswork, we've embedded a JavaScript-based MD5 calculator below.

...The hash functions were envisioned as a kind of cryptographiccompression system—a way to take a large file and crunch it down to ashort string of letters and numbers.

...Because public-key cryptography involves a lot of heavy-duty math,hash functions make it almost as fast to sign an extremely long file asto sign a short file.


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Click at your own risk
Next by Date: [IP] Lingo - the VoIP Service from HELL
Previous by thread: [IP] Click at your own risk
Next by thread: [IP] Lingo - the VoIP Service from HELL
Index(es):
- Date
- Thread